ALAS2-2020-1475

Amazon Linux 2 Security Advisory: ALAS-2020-1475
Advisory Release Date: 2020-08-18 19:31 Pacific
Advisory Updated Date: 2020-08-25 00:00 Pacific
Severity: Medium
Issue Overview:

It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference. (CVE-2019-3890)


Affected Packages:

evolution-data-server, evolution-ews


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update evolution-data-server to update your system.
Run yum update evolution-ews to update your system.

New Packages:
aarch64:
    evolution-data-server-3.28.5-4.amzn2.0.1.aarch64
    evolution-data-server-devel-3.28.5-4.amzn2.0.1.aarch64
    evolution-data-server-perl-3.28.5-4.amzn2.0.1.aarch64
    evolution-data-server-tests-3.28.5-4.amzn2.0.1.aarch64
    evolution-data-server-debuginfo-3.28.5-4.amzn2.0.1.aarch64
    evolution-ews-3.28.5-5.amzn2.aarch64
    evolution-ews-debuginfo-3.28.5-5.amzn2.aarch64

i686:
    evolution-data-server-3.28.5-4.amzn2.0.1.i686
    evolution-data-server-devel-3.28.5-4.amzn2.0.1.i686
    evolution-data-server-perl-3.28.5-4.amzn2.0.1.i686
    evolution-data-server-tests-3.28.5-4.amzn2.0.1.i686
    evolution-data-server-debuginfo-3.28.5-4.amzn2.0.1.i686
    evolution-ews-3.28.5-5.amzn2.i686
    evolution-ews-debuginfo-3.28.5-5.amzn2.i686

noarch:
    evolution-data-server-langpacks-3.28.5-4.amzn2.0.1.noarch
    evolution-data-server-doc-3.28.5-4.amzn2.0.1.noarch
    evolution-ews-langpacks-3.28.5-5.amzn2.noarch

src:
    evolution-data-server-3.28.5-4.amzn2.0.1.src
    evolution-ews-3.28.5-5.amzn2.src

x86_64:
    evolution-data-server-3.28.5-4.amzn2.0.1.x86_64
    evolution-data-server-devel-3.28.5-4.amzn2.0.1.x86_64
    evolution-data-server-perl-3.28.5-4.amzn2.0.1.x86_64
    evolution-data-server-tests-3.28.5-4.amzn2.0.1.x86_64
    evolution-data-server-debuginfo-3.28.5-4.amzn2.0.1.x86_64
    evolution-ews-3.28.5-5.amzn2.x86_64
    evolution-ews-debuginfo-3.28.5-5.amzn2.x86_64

Additional References

Red Hat: CVE-2019-3890

Mitre: CVE-2019-3890